ssh without the password prompt
Did a search but none of the many topics on this I found helped me.
Box A has sshd running. Box B has ssh and is the one I'm trying to connect from.

On Box B I first ran
ssh-keygen -t dsa
entered the password and it created the id_dsa & .pub files.

On Box A created a dir in /home/ called .ssh and copied the id_dsa.pub over and renamed it to authorized_keys

On Box B ran:
ssh 111.111.111.111
it prompted for pass, entered this and it added Box A to known hosts and connects fine.

When trying to set up the public key:
On Box B ran:
ssh-agent /bin/bash
ssh-add *it then prompts for the passphrase which I enter (the password from above).
ssh-add -l *shows that the key is there
ssh 111.111.111.111 * which prompts for password (which I believe it shouldn't)

Any ideas?
Cheers All :confused:
|
Connecting through ssh, it should and will always ask for the user's password by default to login. It doesn't just read the keys and assume you are who you say you are.
|
Hi there.
Copy the public key to /home/whoever/.ssh2 on the box you want to connect to. Edit a file in that directory called authorization and insert the following line...

Key id_dsa_1024_b.pub

That is assuming that the key you generated was id_dsa_1024_b.pub

Assuming you did this correctly you will then be able to connect from the box that you generated the key on without a password.
|
Hi markehb,
you are almost there: the only thing you have to do is leave the password empty when generating the keypair.

Hope it was of any help
Pollyanna
|
tried that, no joy :cry:
stupid newbie question
in my sshd.conf I uncommented the line:
AuthorizedKeysFile ~/.ssh/authorized_keys
what does the ~ mean? is it like the root dir?
|
Try again, I use it to grab backups during the night.
Remove the key you generated, run ssh-keygen, do not use a password or a passphrase. Copy the key over as I said before. If you still have trouble I can send you a script that will automate it for you. |
The ~ is the home directory
|
no joy again, deleted the pair. created a new one with no passphrase, copied the id_dsa.pub file into /home/mark/.ssh2/ (on the host)
created a file called authorization in the same dir and put in it:
Key id_dsa.pub

still prompts for password, not even the passphrase.
starting to bug me now :scratch:
|
What is the output of ssh -V and is it the same on both machines?
|
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
and is the same on both. |
Ok. Sorry for the delay. Had to build a second machine for testing.
Anyway, I have it working. Here is what I did....

Left the sshd_config file alone, no changes.
Ran ssh-keygen -t dsa, did not enter a passphrase.
Scp'd id_dsa.pub to my /home/me/.ssh/ directory on the test machine
Touched a file called authorized_keys

brad@test:~/.ssh$ cat id_dsa.pub > authorized_keys

brad@brad:~/.ssh$ ssh 10.10.1.234
Last login: Tue Mar 23 13:14:29 2004 from brad.caledoncard.ca
Linux 2.4.22.

You will be imprisoned for contributing your time and skill to a bank robbery.

brad@test:~$

It works. Sorry, should have asked your versions earlier.
|
on the remote I have a dir called ~/mark/.ssh/
which in it has the 2 pair files id_dsa and id_dsa.pub as well as known.hosts

on the host (running sshd) I have a dir called: ~/.ssh/ that has 600 permissions created by owned by user and group 'mark'
In which there is an exact copy of id_dsa.pub called authorized_kels but without the linebreak after it (cos apparently that causes probs). This is also set to 600 with and owned by user and group mark.

Can you put up your sshd_config, so I can make sure they're the same? Then I'll delete everything and start again, without changing anything.

I also think I have a permissions prob cos even tho the user 'mark' is part of the root group it still doesn't have permissions to write to dirs etc created by root, which is why the authorized_keys etc is owned by mark and not root, whether that's right or not I don't know.

Cheers for your help btw :)
|
usually ssh behaves somehow like rsh.
Did you create an .rhosts or .shosts file in $HOME for user specific settings?
Did you check the /etc/hosts.equiv, hosts.allow, hosts.deny files for system wide settings?

Usually a ~/.shosts file containing the host name or IP of the remote part should be enough to omit the input of the password.

Erik
|
no, the .rhosts .shosts bit, what I need to do?
yes, to the hosts.equiv/allow/deny |
try creating a .shost file containing just the IP address or the hostname of the remote host you want to log in without pwd as the only entry per line.

On host A:
~/.shosts: with the content
hostname_of_host_B

On host B:
~/.shosts
hostname_of_host_A

If the names can not be resolved, use IP addresses.
There should also be something in the man pages of ssh...

good luck ;)
Erik
|
cheers, but no joy.
|
Hi.
On the machine that you want to log into without a password you should have the public key that was generated by running ssh-keygen on the machine that you want to connect from. The private key stays on the machine that you are connecting from.

The ~/mark/.ssh directory should have 700 permissions, owner mark, group users
The id_dsa.pub should be called just that, the id_dsa private key has to know what to look for.
Cat the key (id_dsa.pub) to an empty authorized_keys file

Here is my sshd_config

# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

Good luck, take it step by step and it will work.

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
|
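The server-side points raised in the thread so far (exact file name, permissions, key on a single line), collected into one check script. This is an added example, not code from any poster; the function names are made up here, and it assumes the defaults shown in the posted sshd_config (AuthorizedKeysFile .ssh/authorized_keys, StrictModes yes).

```sh
#!/bin/sh
# Added example: audit one account's server-side public-key setup.
# audit_pubkey HOME_DIR PUBKEY_FILE prints findings, returns how many.
# Assumes AuthorizedKeysFile .ssh/authorized_keys and StrictModes yes.

# With StrictModes on, sshd ignores authorized_keys when the home directory,
# ~/.ssh or the file itself is writable by group or others.
loose_perms() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

note() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

audit_pubkey() {
    home=$1 pub=$2 problems=0
    dir="$home/.ssh" auth="$home/.ssh/authorized_keys"
    [ -d "$dir" ] || { note "$dir does not exist"; return "$problems"; }
    for p in "$home" "$dir"; do
        if loose_perms "$p"; then note "$p is group/world writable"; fi
    done
    if [ -f "$auth" ]; then
        if loose_perms "$auth"; then note "$auth is group/world writable"; fi
        # Field 2 of a .pub file is the base64 key blob. It has to appear in
        # authorized_keys on a single line, so a wrapped key fails this check.
        blob=$(awk 'NR == 1 { print $2 }' "$pub")
        if [ -z "$blob" ] || ! grep -qF -- "$blob" "$auth"; then
            note "key from $pub is not in $auth"
        fi
    else
        note "$auth is missing"
        # Misspelled variants of the file name are never read by sshd.
        for f in "$dir"/authoriz*; do
            if [ -e "$f" ]; then echo "  found $f instead (not read)"; fi
        done
    fi
    return "$problems"
}

# Run against the current account when called with a public key file.
if [ -n "${1:-}" ]; then
    audit_pubkey "$HOME" "$1" && echo "OK: key setup looks usable"
fi
```

Run it on the box running sshd, as the account being logged into, passing a copy of the client's id_dsa.pub as the only argument.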
done it! 4 days of frustration and surfing the net over with.
Thanks Mako you're a star, thanks everyone who helped :) w00t! :newbie: |
Congratulations !
Have fun. |
spoke too soon, tried to rsync using ssh works fine without prompt, then tried doing it in a cron job and gets permission denied.
So I removed .shost (which I think it doesn't need to do it this way) and just gets the password prompt again. |
The cron job...are you using scp?
If so, plug in the full path. And, do you mean that you can now no longer connect via ssh without a password prompt? |
not using scp doing:
rsync -ave ssh mark@111.111.111.111/var/www/html/ /var/www/html/

and yes after removing .shosts it now prompts for a password again.
|
Ok, I just tested it and it works.
used the command....
rsync -av --rsh="ssh -i .ssh/id_rsa" brad@10.10.1.234:/home/brad/ /home/brad/

Here is the output....
brad@brad:~$ rsync -av --rsh="ssh -i .ssh/id_rsa" brad@10.10.1.234:/home/brad/ /home/brad/
Warning: Identity file .ssh/id_rsa does not exist.
receiving file list ... done
wrote 16 bytes read 274 bytes 580.00 bytes/sec
total size is 5734 speedup is 19.77
brad@brad:~$

Did you make any directory permission changes or anything like that?
|
you haven't got .shosts have you? I'll try forcing it to use the key, though on yours it didn't find it?
permissions are 755 on the .ssh dir on the host, 600 on authorized_keys, and 600 on the private key file on the remote. |
It whined but did what it was supposed to.
Check this out... http://lists.samba.org/archive/rsync...er/007404.html |
Grrr......
That should be /rsync/2003-October/ in the middle of that url.... |
s'ok, the link worked fine :), the board just truncated the middle to make it shorter. reading it now
|
nope, still not working, gonna ping it out the window in a min
|